|
1 | 1 | ---
|
2 | 2 | title: Customer Lockbox for Microsoft Azure
|
3 | 3 | description: Technical overview of Customer Lockbox for Microsoft Azure, which provides control over cloud provider access when Microsoft may need to access customer data.
|
4 |
| -author: cabailey |
| 4 | +author: TerryLanfear |
5 | 5 | ms.service: security
|
6 | 6 | ms.subservice: security-fundamentals
|
7 | 7 | ms.topic: article
|
8 |
| -ms.author: cabailey |
9 |
| -manager: barbkess |
| 8 | +ms.author: terrylan |
| 9 | +manager: rkarlin |
10 | 10 | ms.date: 11/04/2019
|
11 | 11 | ---
|
12 | 12 |
|
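Review bot: the replacement front-matter lines `+author: TerryLanfear |`, `+ms.author: terrylan |` and `+manager: rkarlin |` each show a trailing ` |`. If that pipe is in the committed file rather than an artifact of how this commit page renders the diff, YAML will take `TerryLanfear |` as the value and the author and manager lookups will not resolve; please confirm each line ends at the name. Otherwise the change is consistent: `author` and `ms.author` move together, and leaving `ms.date: 11/04/2019` untouched is right for an ownership-only edit that changes no content.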
@@ -37,37 +37,37 @@ The following steps outline a typical workflow for a Customer Lockbox request.
|
37 | 37 | - The scope of the resource
|
38 | 38 | - Whether the requester is an isolated identity or using multi-factor authentication
|
39 | 39 | - Permissions levels
|
40 |
| - |
| 40 | + |
41 | 41 | Based on the JIT rule, this request may also include an approval from Internal Microsoft Approvers. For example, the approver might be the Customer support lead or the DevOps Manager.
|
42 | 42 |
|
43 | 43 | 6. When the request requires direct access to customer data, a Customer Lockbox request is initiated. For example, remote desktop access to a customer's virtual machine.
|
44 |
| - |
| 44 | + |
45 | 45 | The request is now in a **Customer Notified** state, waiting for the customer's approval before granting access.
|
46 | 46 |
|
47 | 47 | 7. At the customer organization, the user who has the [Owner role](../../role-based-access-control/rbac-and-directory-admin-roles.md#azure-rbac-roles) for the Azure subscription receives an email from Microsoft, to notify them about the pending access request. For Customer Lockbox requests, this person is the designated approver.
|
48 |
| - |
| 48 | + |
49 | 49 | Example email:
|
50 |
| - |
| 50 | + |
51 | 51 | 
|
52 | 52 |
|
53 | 53 | 8. The email notification provides a link to the **Customer Lockbox** blade in the Azure portal. Using this link, the designated approver signs in to the Azure portal to view any pending requests that their organization has for Customer Lockbox:
|
54 |
| - |
| 54 | + |
55 | 55 | 
|
56 |
| - |
| 56 | + |
57 | 57 | The request remains in the customer queue for four days. After this time, the access request automatically expires and no access is granted to Microsoft engineers.
|
58 | 58 |
|
59 | 59 | 9. To get the details of the pending request, the designated approver can select the lockbox request from **Pending Requests**:
|
60 |
| - |
| 60 | + |
61 | 61 | 
|
62 | 62 |
|
63 | 63 | 10. The designated approver can also select the **SERVICE REQUEST ID** to view the support ticket request that was created by the original user. This information provides context for why Microsoft Support is engaged, and the history of the reported problem. For example:
|
64 |
| - |
| 64 | + |
65 | 65 | 
|
66 | 66 |
|
67 | 67 | 11. After reviewing the request, the designated approver selects **Approve** or **Deny**:
|
68 |
| - |
| 68 | + |
69 | 69 | 
|
70 |
| - |
| 70 | + |
71 | 71 | As a result of the selection:
|
72 | 72 | - **Approve**: Access is granted to the Microsoft engineer. The access is granted for a default period of eight hours.
|
73 | 73 | - **Deny**: The elevated access request by the Microsoft engineer is rejected and no further action is taken.
|
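Review bot: every change in this hunk (lines 40, 44, 48, 50, 54, 56, 60, 64, 68 and 70) appears to be a whitespace-only edit to a blank line, `- |` becoming `+ |`, with no rendered content changing. Because the continuation paragraphs under the numbered steps ("Based on the JIT rule, this request may also include...", "The request is now in a **Customer Notified** state...", "The request remains in the customer queue for four days...") depend on indentation to stay attached to steps 5, 6, 7 and 8, it is worth checking the rendered page to confirm the list still nests correctly and the step numbering does not restart. Consider moving trailing-whitespace cleanup into its own commit so the metadata change above can be reviewed on its own.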
@@ -108,13 +108,13 @@ For scenarios that involve remote desktop access, you can use Windows event logs
|
108 | 108 |
|
109 | 109 | The following services are now currently in preview for Customer Lockbox:
|
110 | 110 |
|
111 |
| -- Azure Storage |
| 111 | +- Azure Storage |
112 | 112 |
|
113 |
| -- Azure SQL DB |
| 113 | +- Azure SQL DB |
114 | 114 |
|
115 |
| -- Azure Data Explorer |
| 115 | +- Azure Data Explorer |
116 | 116 |
|
117 |
| -- Virtual machines (now also covering access to memory dumps and managed disks) |
| 117 | +- Virtual machines (now also covering access to memory dumps and managed disks) |
118 | 118 |
|
119 | 119 | - Azure subscription transfers
|
120 | 120 |
|
|
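Review bot: the edits at lines 111, 113, 115 and 117 (`- Azure Storage |` to `+- Azure Storage |`, and likewise for the next three items) appear to differ only in whitespace and leave the rendered list unchanged; they belong with the formatting-only cleanup rather than an author change. While this list is being touched, the unchanged intro at line 109, "The following services are now currently in preview for Customer Lockbox:", doubles up "now" and "currently"; "are currently in preview" reads cleaner. Line 113's "Azure SQL DB" is also the only item not using the full product name (Azure SQL Database), which a follow-up could normalise.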